1. Data Controller & Legal Framework

Onyx Dynamics Ltd ("we", "us", "our") processes personal data in accordance with the Mauritius Data Protection Act 2017 (DPA) and, where applicable to EU data subjects, the General Data Protection Regulation (EU) 2016/679 (GDPR).

2. International Data Transfers (Schrems II Compliance)

We are domiciled in the Republic of Mauritius. However, our technical infrastructure relies on sub-processors located in third countries (specifically the USA and EU). We ensure the protection of your data through the following mechanisms:

  • Adequacy Decisions: Transfers to the EU (or from the EU to Mauritius) are covered by the European Commission's adequacy decision regarding Mauritius.
  • Standard Contractual Clauses (SCCs): For transfers to US-based providers (Cloudflare, Google, Meta), we rely on the European Commission's 2021 Standard Contractual Clauses (Module 2: Controller to Processor) combined with supplementary technical measures (encryption at rest and in transit).

2.1 Authorized Sub-Processors

  • Cloudflare, Inc.: Website hosting, CDN, security, and performance. Data may be processed globally on Cloudflare's network.
  • Google LLC: Tag Manager, Analytics, Ads, Fonts, and embedded YouTube content where used on this site.
  • Meta Platforms, Inc.: Meta Pixel, Facebook/Instagram advertising measurement, and WhatsApp customer communication.
  • Microsoft Corp (Office 365): Email, scheduling, and administrative document storage.

3. Purpose & Legal Basis of Processing

We only process data where we have a clear legal basis. The following table outlines our processing activities:

| Processing Activity | Data Points | Legal Basis (GDPR / DPA) | Retention Period |
|---|---|---|---|
| Website Security | IP Address, User Agent, Referrer | Legitimate Interest (Art. 6(1)(f)). Network security and fraud prevention. | 30 days (log files) |
| Website Analytics & Marketing | Device identifiers, browsing events, page views, campaign attribution | Consent (Art. 6(1)(a)). Only after opt-in via cookie banner. | Per vendor policy (typically 14–26 months) |
| Quotes & Invoicing | Name, Billing Address, Email, Phone | Contractual Necessity (Art. 6(1)(b)). Performance of service/sale. | 7 years (Statutory tax obligation per MRA) |
| Demo Booking | Name, Phone, Physical Location | Contractual Necessity (Art. 6(1)(b)). Logistics coordination. | 3 years post-service (Civil liability limitation) |
| Chatbot / WhatsApp | Message Content, Phone No. | Consent (Art. 6(1)(a)). Voluntary initiation of contact. | Until thread deletion or 12 months inactivity |

4. Communication via WhatsApp

5. Your Rights (DSAR)

Under the Mauritius DPA and GDPR, you have the right to request access, rectification, erasure, or portability of your data.

  • To exercise rights: Email contact@e-foil.mu with the subject line "DSAR Request".
  • Response Time: We are legally required to respond within 30 days.
  • Right to Complain: You have the right to lodge a complaint with the Mauritius Data Protection Office or your local supervisory authority.

6. Security Measures & Breach Protocol

Security Controls: We implement SSL/TLS encryption for data in transit. Access to personal data is restricted to employees with a specific operational need.

Breach Notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify:

  1. The Data Protection Office (Mauritius) within 72 hours of becoming aware of the breach.
  2. Affected users without undue delay, if the breach poses a high risk to their personal security.

7. Cookies & Similar Technologies

We use strictly necessary cookies for site function and security. Optional analytics and marketing cookies are blocked until you provide explicit opt-in consent. For full details on trackers used on this website — including Google Tag Manager, Google Analytics, Meta Pixel, and YouTube embeds — please read our Cookie Policy.
